16. AWS Foundation Services
(Diagram: your controls layered on AWS controls.)
AWS: Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); built on AWS consistent baseline controls.
Your Controls: your own accreditation, your own certifications, your own external audits; meet your own security objectives.
Customer scope and effort is reduced; better results through focused efforts.
Reference: https://d0.awsstatic.com/whitepapers/compliance/AWS_DOD_CSM_Reference_Architecture.pdf
38. CloudHSM
• Dedicated access to one or more HSM devices that comply with government standards (for example, FIPS 140-2, Common Criteria)
• You control all access to your keys and the application software that uses them
• Supported applications:
– Your custom software
– Third-party software
– AWS services: Amazon Redshift, RDS for Oracle
Comparing CloudHSM with KMS
KMS
• Highly available and durable key storage, management, and auditable service
• Allows you to import keys
• Easily encrypt your data across AWS services and within your own applications based on policies you define
• Supported applications:
– Your custom software built with AWS SDKs/CLI
– AWS services (S3, EBS, RDS, Amazon Aurora, Amazon Redshift, WorkMail, WorkSpaces, CloudTrail, Elastic Transcoder)
53. VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
(Diagram: fields of a flow log record: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject.)
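The slide's "create metrics, then alarm" flow, as an added example that is not part of the original deck: a parser for the default (version 2) VPC Flow Log record layout, a "REJECT records per source address" metric of the kind a CloudWatch Logs metric filter would produce, and the threshold check an alarm would evaluate. The sample records are constructed, not captured traffic.

```python
from collections import Counter
from typing import Optional

# Default VPC Flow Log record layout (version 2, space separated); these are
# the fields the slide's diagram lists.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records (not real traffic): two rejected SSH flows and one
# rejected RDP flow from one source, one accepted HTTPS flow, one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51000 22 6 4 240 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51001 22 6 4 240 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51002 3389 6 4 240 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.9 10.0.1.5 44321 443 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1418530010 1418530070 - NODATA
""".splitlines()

def parse_record(line: str) -> Optional[dict]:
    """Parse one record into a dict; return None for NODATA/SKIPDATA records,
    whose traffic fields are '-' and must not be counted as traffic."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        raise ValueError(f"unexpected flow log line: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec

def rejects_per_source(lines, dstport: Optional[int] = None) -> Counter:
    """Metric: REJECT records per source address, optionally restricted to one
    destination port (what a metric filter on action = REJECT would emit)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT" and dstport in (None, rec["dstport"]):
            counts[rec["srcaddr"]] += 1
    return counts

def sources_over_threshold(lines, threshold: int, dstport: Optional[int] = None) -> list:
    """Alarm condition: sources whose reject count reaches the threshold."""
    counts = rejects_per_source(lines, dstport)
    return sorted(src for src, n in counts.items() if n >= threshold)
```

In CloudWatch the same metric comes from a metric filter on the log group and the threshold from an alarm on it; this block reproduces that logic offline so the aggregation can be checked against known records.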
60. Core Checks and Recommendations
Access to the six core Trusted Advisor checks to help increase the security and performance of your environment.
Checks include:
Security: Security Groups - Specific Ports Unrestricted, IAM Use, MFA on Root Account, EBS Public Snapshots, RDS Public Snapshots
Performance: Service Limits
Available to all AWS customers
61. Core Checks and Recommendations (available with Business or Enterprise support plans)
Access to the full set of Trusted Advisor checks to help optimize your entire AWS infrastructure.
Additional benefits include:
Notifications: Stay up-to-date with your AWS resource deployment with weekly updates.
Programmatic access: Retrieve and refresh Trusted Advisor results programmatically using the AWS Support API.
66. Evolving the Practice of Security Architecture
• Security architecture as a separate function can no longer exist
Current Security Architecture Practice:
• Static position papers, architecture diagrams & documents
• UI-dependent consoles and technologies
• Auditing, assurance, and compliance are decoupled, separate processes
67. Evolving the Practice of Security Architecture
• Security architecture can now be part of the ‘maker’ team
Evolved Security Architecture Practice:
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories
• Complete solutions account for automation
• Solution architectures are living audit/compliance artifacts and evidence in a closed loop
(Diagram: AWS CodeCommit, AWS CodePipeline, Jenkins.)